Conditional Access: Require MFA for Azure management

Organizations use a variety of Azure services and manage them from Azure Resource Manager based tools like:

  • Azure portal
  • Azure PowerShell
  • Azure CLI

These tools can provide highly privileged access to resources that can alter subscription-wide configurations, service settings, and subscription billing. To protect these privileged resources, Microsoft recommends requiring multi-factor authentication for any user accessing these resources.

User exclusions

Conditional Access policies are powerful tools; we recommend excluding the following accounts from your policy:

  • Emergency access or break-glass accounts, to prevent tenant-wide account lockout. In the unlikely scenario that all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant and take steps to recover access.
  • Service accounts and service principals, such as the Azure AD Connect Sync Account. Service accounts are non-interactive accounts that are not tied to any particular user. They are normally used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts like these should be excluded since MFA can't be completed programmatically. Calls made by service principals are not blocked by Conditional Access.
    • If your organization has these accounts in use in scripts or code, consider replacing them with managed identities. As a temporary workaround, you can exclude these specific accounts from the baseline policy.

Create a Conditional Access policy

The following steps will help create a Conditional Access policy that requires those with access to the Azure Management app to perform multi-factor authentication.

  1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
  2. Browse to Azure Active Directory > Security > Conditional Access.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users and groups.
    1. Under Include, select All users.
    2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.
    3. Select Done.
  6. Under Cloud apps or actions > Include, select Select apps, choose Azure Management, and select Select, then Done.
  7. Under Conditions > Client apps (Preview), under Select the client apps this policy will apply to, leave all defaults selected and select Done.
  8. Under Access controls > Grant, select Grant access, Require multi-factor authentication, and select Select.
  9. Confirm your settings and set Enable policy to On.
  10. Select Create to create and enable your policy.
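The same policy as the portal steps above, expressed with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original page. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the break-glass object IDs are placeholders you replace, and that the "Azure Management" cloud app corresponds to the well-known Windows Azure Service Management API application ID (verify it in your tenant's app list before relying on it).

```powershell
# Added example, not Microsoft's own script: creates the "Require MFA for
# Azure management" policy through Microsoft Graph instead of the portal.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Object IDs of the organization's emergency-access (break-glass) accounts.
# Placeholder values; replace with the real object IDs before running.
$breakGlassAccounts = @(
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
)

# Assumed well-known application ID of "Windows Azure Service Management API",
# which the portal shows as the "Azure Management" cloud app.
$azureManagementAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

# Policy body mirroring the portal steps: all users included, break-glass
# accounts excluded, Azure Management targeted, all client app types,
# grant access only with MFA, policy enabled.
$policy = @{
    displayName = "CA - Require MFA for Azure management"
    state       = "enabled"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = $breakGlassAccounts
        }
        applications = @{
            includeApplications = @($azureManagementAppId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Safety check: every break-glass account must be excluded, otherwise the
# policy can lock all administrators out of the tenant.
$excluded = $created.Conditions.Users.ExcludeUsers
$missing  = $breakGlassAccounts | Where-Object { $_ -notin $excluded }
if ($missing) {
    Write-Warning "Break-glass accounts not excluded: $($missing -join ', ')"
}
```

Setting state to "enabledForReportingButNotEnforced" first lets you review sign-in logs for the policy's effect before switching it to "enabled".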

Next steps

Conditional Access common policies

Simulate sign-in behavior using the Conditional Access What If tool